Firewall Wizards mailing list archives

Re: MAC blocking


From: "Dale W. Carder" <dwcarder () doit wisc edu>
Date: Mon, 28 Nov 2005 17:31:40 -0600

Thus spake Chuck Swiger (chuck () codefab com) on Mon, Nov 28, 2005 at 05:09:32PM -0500:
> I would say it's not safe to assume that VLANs can be trusted to
> separate traffic with complete reliability, especially if it is
> possible for a malicious machine to gain access to a trunk port:
>
> http://www.sans.org/resources/idfaq/vlan.php

Anything is possible with proper misconfiguration.

If, for whatever limitation, you decide that you need to use VLANs
instead of separate physical infrastructure, you need to know what
you are doing.

In switched networks, there are huge implications as to how 802.1q,
VLAN 1 (particularly on Catalyst), VTP (yuck), STP, CDP, etc.
interoperate with your security goals.

But, some of the nicer features that have appeared lately for layer
2 include switches that can do edge port ACLs, static MAC-to-port
provisioning, 802.1X, VMPS, private VLANs...  The layer 2 toolbox
is getting a bit better.

Dale

----------------------------------
Dale W. Carder - Network Engineer
University of Wisconsin at Madison  
http://net.doit.wisc.edu/~dwcarder
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
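As an added illustration of the points Dale makes above (not part of his post, nor a configuration from the University of Wisconsin), here is a Catalyst IOS fragment that puts the "weak by misconfiguration" edge port next to a hardened one, and applies the trunk, VTP, STP, CDP and VLAN 1 hygiene he lists. The interface names, VLAN numbers (10 and 20 for users, 999 as an unused native/parking VLAN) and the MAC address 0011.2233.4455 are assumptions for the example; the commands are standard Catalyst IOS syntax, but `vlan dot1q tag native` is only available on some platforms, so check your release notes before relying on it.

```cisco
! ---------------------------------------------------------------
! Weak edge port: DTP is left in a dynamic mode, so a host that
! speaks DTP can negotiate the port into a trunk and reach every
! VLAN carried on it. This is the kind of "proper misconfiguration"
! that makes VLAN hopping trivial.
! ---------------------------------------------------------------
interface FastEthernet0/1
 switchport mode dynamic desirable

! ---------------------------------------------------------------
! Hardened edge port (assumed: user VLAN 10, one known host MAC).
! Static access mode + nonegotiate kills DTP; port security pins
! the MAC to the port; BPDU guard shuts the port if a host tries
! to speak STP; CDP is not leaked to the end station.
! ---------------------------------------------------------------
interface FastEthernet0/1
 description user edge port
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable

! ---------------------------------------------------------------
! Uplink trunk: explicit 802.1Q, no DTP, an unused native VLAN so
! untagged frames from a host cannot land in a real VLAN, and an
! explicit allowed list instead of "all VLANs".
! ---------------------------------------------------------------
interface GigabitEthernet0/1
 description uplink trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20

! Tag the native VLAN too, where the platform supports it, so a
! double-tagged frame has no untagged outer header to exploit.
vlan dot1q tag native

! VTP: do not let a neighbouring switch (or a spoofed VTP summary)
! rewrite this switch's VLAN database.
vtp mode transparent

! VLAN 1 carries CDP/VTP/STP control traffic on Catalyst; keep no
! user ports or management interface on it.
interface Vlan1
 shutdown

! Unused ports: access mode, parked in the unused VLAN, and down.
interface range FastEthernet0/20 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
```

`show interfaces trunk` and `show dtp interface` are the quick checks that no edge port is actually trunking; `show port-security interface FastEthernet0/1` confirms the MAC binding took effect.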